Uncovering Hidden Risks 4.24.24
Ep 17 | 4.24.24

Understanding Cloud-Native Application Protection Platforms (CNAPP)


Erica Toelle: Hello and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, Senior Product Marketing Manager on the Microsoft Purview team. And now, let's get into this week's episode. [ Music ] Welcome to another episode of the "Uncovering Hidden Risks" podcast. Organizations are facing constant challenges to prioritize what's important in cybersecurity. Current tools often work in isolation, and it can be a challenge to rationalize insights. In this episode, we will discuss how you can use a cloud-native application protection platform to solve these challenges. Let's introduce today's guest who will join us for the discussion. Giulio Astori works as a Principal Program Manager for Microsoft Defender for Cloud. Throughout his 17 years with Microsoft, he has worked in various roles, including as a data analyst for cybersecurity and as an incident handler. He enjoys keeping a keen focus on security and its many dimensions. Welcome, Giulio.

Giulio Astori: Hello. Welcome, Erica. Welcome to everyone. My name is Giulio Astori, and as Erica already briefly introduced me, I'm a Principal Program Manager for Microsoft Defender for Cloud. And I'm here today to walk you through the journey of understanding cloud-native application protection platforms.

Erica Toelle: Excellent. Also joining us today is our guest, Yuri Diogenes. Yuri has been at Microsoft for the past 18 years. In his current role, he manages a product management team for the Defender for Cloud product. Yuri is also a university professor and a published author with more than 30 book releases. Welcome, Yuri.

Yuri Diogenes: Hi, Erica. Thanks very much for having me on. I appreciate it.

Erica Toelle: And with that, let's dive into today's topic. Giulio, could you please start by explaining what a cloud-native application protection platform is and why it's useful?

Giulio Astori: Thank you, Erica, for that question. CNAPP, which is the acronym for cloud-native application protection platform, is a comprehensive and advanced security approach, or framework, designed for the protection of cloud-native applications. It combines several security mechanisms, including cloud security posture management, also known as CSPM; cloud workload protection platform, also known by the acronym CWPP; DevSecOps; and identity entitlement management. All of this is included in a cohesive platform that offers comprehensive security throughout the application lifecycle in a multi-cloud environment. CNAPP enhances visibility and control across various cloud services, facilitating better management and security of cloud resources. It provides a unified, holistic approach to securing cloud-native applications and data from development to deployment, while leveraging integrated, adaptive security measures fitted to the dynamic nature of modern cloud environments.

Erica Toelle: Thank you. Why is a CNAPP so important for today's customers to improve their cloud environment security posture and protect their workloads?

Giulio Astori: The importance of CNAPP in today's cloud-centric world cannot be overstated. Cloud environments are not only becoming more prevalent but also more complex. The shift towards digital transformation has led organizations to adopt cloud technologies at an unusual rate, and that has introduced a variety of security challenges and risks. This is where CNAPP steps in, serving as a crucial component in enhancing cloud environment security posture and protecting workloads. First, CNAPP is comprehensive by nature. It addresses the inherent complexity of a cloud environment and unifies various security tools and practices into a single platform, offering a holistic view of an organization's cloud security posture. Such integration is very important. It's vital for identifying and addressing vulnerabilities across the entire cloud infrastructure, from development to deployment and finally to operations. CNAPP facilitates a proactive approach to security, moving beyond ordinary detection to actively prevent security breaches. Furthermore, the importance of CNAPP is underscored by the growing threat landscape. Several attacks are becoming more sophisticated, targeting cloud environments with advanced techniques that traditional security measures often fail to counter. CNAPP, on the other hand, is very predictive and uses analytics and artificial intelligence-driven insights, which enable organizations to stay ahead of those threats and identify potential vulnerabilities before they can even be exploited. Such proactive threat intelligence is crucial for maintaining the integrity and availability of cloud workloads. Additionally, CNAPP's importance is magnified in the multi-cloud environment. With organizations leveraging services from multiple cloud providers, managing security consistently becomes a significant challenge.
CNAPP provides a unified view that aggregates data across all cloud platforms, enabling seamless security management and compliance across diverse environments. Such centralized control is essential for ensuring that security policies are consistently applied, reducing the risk of misconfigurations and compliance violations. Another key aspect of CNAPP's importance lies in its ability to enhance collaboration between development and security. That's such an important aspect. By integrating security early in the development process, CNAPP bridges the gap between the two, fostering a culture of security by design. This collaboration is critical for embedding security into the DNA of cloud applications, which ensures they are built with robust security measures right from the get-go, right from the ground up. To conclude, in summary, the importance of CNAPP today is multifaceted. It addresses the complexity and dynamics of the modern cloud environment, it counters the evolving threat landscape, and it ensures consistency across multi-cloud setups. It also promotes a culture of proactive security.

Yuri Diogenes: All right, Giulio, that was a great explanation. I love the fact that you brought some facts about CNAPP. Now, since you touched on this point, I'd like a little clarification, because it's very important for the listeners to understand the difference between CNAPP and cloud security posture management. Since both are leveraged to improve the overall security posture, what's really the key difference between those two platforms?

Giulio Astori: Yuri, this is a great question, and I really thank you for asking. CNAPP and CSPM, CSPM being the acronym, obviously, for cloud security posture management, are interconnected, but they fulfill distinct roles within the cloud security ecosystem. First of all, CSPM zeroes in on the risks tied to cloud configuration. It scans for misconfigurations, compliance breaches, and other security hazards that could lead to a breach. The goal of CSPM is to align cloud setups with security best practices and compliance mandates, ensuring a secure, compliant state across all cloud platforms. CNAPP, on the other hand, offers a broader cloud security strategy. While incorporating CSPM, CNAPP's scope extends to a suite of security measures safeguarding cloud-native applications throughout their entire lifecycle. Beyond misconfiguration fixes, it covers workload security, application security by shifting left, identity management, and threat detection and response. Thus, CSPM underpins the core of cloud security by securing configurations and adhering to regulations. CNAPP, however, broadens this foundation to tackle a wide array of cloud security issues, like runtime threats, API security, and secure development and deployment of cloud-native applications. Furthermore, CNAPP distinguishes itself by emphasizing the contextualization of security insights. This is a very important factor. What does that mean? It means not only identifying security vulnerabilities but also understanding them within the specific context of an organization's cloud environment. Such an approach allows for more nuanced risk assessment, prioritizing issues based on their actual impact to the business. This level of insight is very crucial for effectively allocating resources to address the most pressing security challenges first, enhancing the overall security posture with intelligence-driven decisions.
Basically, CSPM is a critical aspect of the whole CNAPP; it sets the groundwork for secure cloud setups first, but CNAPP marks the leap in cloud security platforms by offering a comprehensive security model that goes beyond posture management to integrate extra protective layers for a robust cloud security posture.

Erica Toelle: You mentioned the buzzword "shifting left," and that's not something I've heard a lot about. Could you expand on this topic and clarify how it fits into CNAPP and security in general?

Giulio Astori: Yes, absolutely, Erica. So the concept of shifting left has indeed become a buzzword in the world of cloud security. But it's much more than just a trend. It's a fundamental shift in how we, as security practitioners, approach security in the development lifecycle. Shifting left refers to the practice of integrating security measures early in the software development process rather than handling them as final steps before deployment. The idea is very simple: address security concerns as close to the inception of a project as possible, effectively shifting those considerations to the left on the timeline of the project development lifecycle. This approach is grounded in the belief that tackling security from the beginning is not only more efficient but also significantly reduces the risk of vulnerabilities in the final product. Now, in the context of CNAPP, shifting left is a core principle. The CNAPP framework is designed to integrate [inaudible 00:12:13] into the development process, providing developers with the tools and insights needed to build security into their applications from the ground up. This could involve automated security scanning of the code, infrastructure-as-code analysis, configuration management, and more. By embedding those security practices early in the development lifecycle, CNAPP helps ensure that security is a foundational element of a cloud application rather than an afterthought. Additionally, shifting left aligns with a broader trend towards DevSecOps, which emphasizes the integration of security practices with both development, the so-called dev, and operations, the so-called ops discipline. By fostering a culture where security is everyone's responsibility, organizations can create more secure applications, improve compliance, and reduce the time and cost associated with fixing security issues later in the development process.

Erica Toelle: Thanks. I appreciate how you've defined CNAPP, what it is, and how it helps organizations' security. Yuri, what are your thoughts about how organizations can start to plan for CNAPP adoption?

Yuri Diogenes: Yeah, so the first step is really understanding your current state. What is the security state of your workloads? So, in order to do that, you need to discover which workloads you have because, as Giulio mentioned, one of the challenges when we are tackling this cloud security environment is that customers may be using multiple cloud providers, which is a trend nowadays. You have resources in different cloud providers. So the question now is, okay, which workloads are distributed across different cloud providers as well as on-premises? So I have to have discoverability in place to understand my assets and then assess the security state of those resources. Understanding the security posture of each workload is imperative to start this journey of adopting CNAPP, because that's how I'm going to start: by doing what we call security hygiene, understanding the security state, and then elevating the security posture of those workloads. And the advantage of using a CNAPP-based approach to do that is that CNAPP is intelligent enough to not only scan those artifacts but also give me contextual information about what needs to be addressed first. Because what's going to happen in the beginning, when you're doing this discoverability and assessment, is that you're going to have a lot of workloads that need to be remediated, right? For example, 100 storage accounts, thousands of VMs. So the question that comes is, how can I prioritize this? What is really important to my environment? And that's where CNAPP is going to pay off, because it's going to enumerate which resources you should prioritize based on the risk factors from the initial assessment. For example, if you have, let's say, 100 storage accounts that were discovered and 50 out of those 100 are high severity, which one should you do first? So what CNAPP is going to do is say, okay, out of those 50, there are 10 that are critical because they have PII.
So you really need to improve the security posture of those storage accounts first. So that's the initial beginning of this journey of adopting CNAPP: doing the discoverability, scanning, assessment, and then remediating those resources, and then moving on to the next phase, which is enhancing the protection of the workloads by enabling threat detection. All right, so besides the things that I said, I'd like to bring Giulio back into the conversation, because I would like to understand from him if he has some experience that he could share from his interactions with customers about the implementation of CNAPP using Microsoft's CNAPP, also known as Defender for Cloud. So Giulio, do you have some insights, some experience that you could share?

Giulio Astori: Oh yeah, I have many, absolutely. I will be happy to share at least one story. Let me tell you first that, while the specific name of this organization cannot be shared, this is an example from a financial services organization. It's a bank. Okay? But for privacy, we obviously cannot share any name. This organization faced significant challenges in managing its cloud security posture. They were leveraging a vast array of cloud services spread across multiple providers. AWS, Azure, Google, you name it, they had them all. As such, they struggled with visibility into their cloud environment. They struggled with applying consistent security policies. And they struggled with the ability to respond swiftly to emerging threats. Their journey towards adopting a cloud-native application protection platform solution, such as Microsoft Defender for Cloud, offers valuable insight into their planning and implementation process, as well as the actual outcomes that were achieved. First of all, the bank initiated its CNAPP adoption with a very comprehensive assessment of its existing cloud security practices and infrastructure, just like you mentioned earlier, Yuri. This assessment revealed fragmented security tools, inconsistent compliance practices, and a lack of real-time threat intelligence across the cloud workloads. They chose a CNAPP solution by diligently doing research and proper planning. At the end of the day, they selected Microsoft Defender for Cloud. At that point, once implemented, the organization, the bank, began by integrating Defender for Cloud capabilities across their multi-cloud environment. Such integration provided immediate visibility into potential vulnerabilities, misconfigurations, and non-compliant resources. One of the key steps was leveraging Defender for Cloud's automated compliance assessment, which was a crucial step for ensuring adherence to financial industry regulations and standards.
Another important aspect, which actually, I should say, was a very significant aspect of the CNAPP strategy that this bank adopted, was the emphasis on shifting left. And here we go again with the buzzword shifting left. They embedded security early in their development lifecycle. By utilizing Defender for Cloud's security recommendations and automated threat detection within their DevOps pipeline, the bank significantly reduced the risk of vulnerabilities making it into production. So they caught the vulnerabilities before the product actually went into production. So what were the outcomes? The results were very transformative. The bank saw a dramatic reduction in misconfigurations and compliance issues thanks to the continuous monitoring and automated remediation capabilities of Defender for Cloud. Furthermore, by consolidating their security tools into a single CNAPP solution, they achieved greater operational efficiency and a more cohesive security posture. Perhaps one of the most impactful outcomes was the enhancement of the bank's ability to respond to possible threats. With Defender for Cloud's advanced threat protection and AI-driven insights, the bank proactively identified and mitigated threats before they resulted in breaches. Such a proactive stance on security not only protects the bank's critical data but also, and this is very important, bolsters its reputation for reliability and trustworthiness in the financial sector. So, to conclude this story, this case study, I want to say that such a story amplifies the power of a CNAPP approach, especially when leveraged through a comprehensive solution such as Microsoft Defender for Cloud. For organizations embarking on the adoption of a CNAPP journey, it underscores the importance of complete planning and integration across all environments, and the benefits are very high.
The bank's success story serves as a testament to the transformative potential of CNAPP solutions in enhancing cloud security, and not only compliance but, most importantly, operational efficiency.

Erica Toelle: I think that a lot of listeners would love to replicate the success that the company you just described had with increasing their security posture and having more visibility into priorities. And I think actually you recently released an e-book covering best practices for CNAPP deployment. Something that stood out for me in the book was how you described different maturity levels for customers when adopting a CNAPP. Could you tell us a bit more about what you found in regard to the maturity levels?

Giulio Astori: Absolutely, Erica. So, in my experience, organizations embarking on their CNAPP journey often display variable levels of maturity in terms of their security practices and capabilities. So, bear with me. Those maturity levels range from organizations with minimal cloud security practices in place to those that have highly sophisticated, integrated security operations spanning the entire cloud ecosystem, much like the CNAPP maturity model that we outlined in the e-book. The model categorizes maturity into stages: traditional, advanced, and optimal. Each of those stages reflects specific attributes: visibility, security practices, tool utilization, and incident readiness. Initially, organizations may find themselves at the traditional level. Nothing wrong with that. They rely on a variety of tools for managing vulnerabilities and manual workflows for remediating those security findings. This stage is characterized by a very reactive approach to security, where measures are often implemented in response to actually detected threats. So now, as organizations move along those maturity stages, they move from the traditional stage to what we call the advanced stage. Here, in the advanced stage, we see a shift towards more unified and proactive security measures. Those measures include centralized vulnerability management and proactive identification and mitigation of potential attacks. It is a significant step forward for organizations to begin to employ predictive analytics and AI-driven insights to preempt potential security breaches, moving from a reactive to a more proactive security posture. But the journey doesn't stop there.
In order to reach the maximum level of maturity, the optimal stage, that involves the sophisticated integration of solutions such as CNAPP, with its capabilities and its emphasis on comprehensive risk mitigation, on proactive vulnerability and risk hunting, and the establishment of proper governance practices to ensure continuous improvement of the security posture. At this level, you know, the optimal level, security is not just an IT concern but a strategic business enabler, contributing to operational efficiency and resilience against all threats. By following such a model, organizations can systematically enhance their security posture, moving from the basic to the advanced maturity level. And these progressions involve not only the adoption of advanced tools and practices but also a cultural shift towards prioritizing security across all aspects of cloud computing. In essence, the path to improved security maturity involves the strategic application of CNAPP principles, aligned with continuous evaluation and optimization efforts to achieve a robust, integrated security strategy. This journey underscores the transformative potential of CNAPP, which elevates an organization's security capabilities and positions it to succeed in today's dynamic digital landscape.

Yuri Diogenes: Giulio, thanks for the overview of the CNAPP maturity levels. We've been working on this maturity model for quite some time. I'm really proud of the work on the e-book in which we documented this. But I would like to ask you if you have any additional tips for how organizations can increase their maturity level.

Giulio Astori: So absolutely, Yuri. As I mentioned, we have three stages in our maturity model. You know, going from the beginning stage, which we call traditional, moving along into advanced, and finally, the optimal level. Each of those stages is a journey in itself. The journey comprises several steps and several processes, including moving from being reactive to more proactive. So, if I have to give my recommendation, my suggestion, to an organization that is starting to embrace CNAPP principles on how to effectively move along those maturity stages, it is to follow each step within the stage. And, very importantly, as you follow those steps, implement true metrics that will allow you to measure yourself against the efficiency of your processes. Once you have those metrics in place, you can see how your progress goes. And then you will see where there is a need for more work to be done. By doing so, I almost guarantee that in no time you can very quickly move from the low-end, traditional stage to at least the middle stage, which is obviously the advanced. A little more work will be needed for the optimal stage, but that's something that you can reach 100%. Again, the key here is, regardless of the processes and all the technology involved in achieving the next level, you need to measure yourself and continuously measure for improvement.

Erica Toelle: Perfect. And for those listening, if you would like to learn more about best practices for CNAPP deployment, including the maturity stages, you can download the e-book at aka.ms/mscnapp. And the link is also in the show notes. So maybe looking ahead to the future, what's next for CNAPP?

Giulio Astori: What a question, Erica. A million-dollar question, kind of like needing to read the future. So let's give it a try. So the future of CNAPP is as dynamic and innovative as the cloud computing landscape itself today. As organizations continue to evolve their digital infrastructure and their digital transformation, CNAPP solutions will also need to adapt and expand to meet new challenges and to leverage all those emerging technologies. Here is what I can anticipate as the next phase of CNAPP. Greater integration with emerging technologies. We all hear a new buzzword, which is not a buzzword but is the word: artificial intelligence. We are likely to see CNAPP solutions integrated more closely with cutting-edge technologies such as artificial intelligence. For instance, AI could be used to enhance threat prediction and response capabilities, making CNAPP even more proactive. Also, there is another thing that I anticipate, and that is enhanced automation and orchestration. As cloud environments become more complex, which we keep saying from the beginning of this podcast, the automation and orchestration capabilities of CNAPP solutions will become even more sophisticated. This will involve not just automated detection and response but also automated security policy enforcement across diverse and dynamic cloud environments. The goal here, the objective, will be to reduce the human error factor as much as possible, ensuring that security keeps pace with the speed of cloud development and deployment. Then, with the increasing importance of data privacy and regulatory compliance worldwide, CNAPP solutions will continue to evolve to offer more advanced compliance monitoring and governance tools.
This will include real-time compliance assessment, automated reporting, and more granular control of data sovereignty and privacy requirements, helping organizations navigate the complex landscape of global regulation more effectively. As the perimeter of the cloud environment expands, identity and access management, also known by the acronym IAM, will become even more central to CNAPP solutions. Future CNAPP platforms are expected to provide more sophisticated identity verification methods and, as such, be able to spot loose permissions and those who are not authorized to have access to sensitive data. As organizations also adopt multi-cloud strategies and expand into edge computing, CNAPP will extend its reach to provide comprehensive visibility and security control across all those dispersed environments. And this means securing not just the core cloud infrastructure but also the variety of endpoints and [inaudible 00:33:30] devices that constitute the modern computing landscape. Finally, the next phase of CNAPP will continue to emphasize the importance of embedding a security-first mindset across the whole organization. This will involve not just technical solutions but also training, education, and a cultural shift that prioritizes security as a fundamental aspect of business operations.

Erica Toelle: Thank you so much for those insights. Yuri, I'm curious, what's your thoughts about the future and what's next for CNAPP?

Yuri Diogenes: Well, Giulio already stole all the thunder that I had. But I'm [chuckles] I'm fine to give some additional insights, which is, when we think about CNAPP, we are always thinking about AI incorporation, how we can bring AI to CNAPP. And I will say that, while it's going to be extremely important to unblock all the scenarios that Giulio mentioned, it's really a journey. Most of the AI solutions that will be embedded in a CNAPP platform will start from the security hygiene perspective, because it really should be where you start, right? How can I leverage AI, for example, to make even smarter decisions about how I can improve my security posture, how I can dig into my environment to understand what is critical? So those insights are extremely important. So having a more intelligent CNAPP that is powered by AI, that will give precise insights not only about things that are critical for your environment but about how to disrupt potential attacks, is imperative for customers to be aware of. We see a lot of people talking about threat detection and things like that. And that's important. But many studies, including our own Microsoft Digital Defense Report, have shown over the years that 98% of attacks could have been prevented by basic security hygiene. And if security hygiene is not done correctly, when you improve your threat detection, what you are really doing is only reacting. So we need to change this mindset to be more proactive and leverage AI to enhance our capabilities to not only respond fast but also to prevent even before something happens. So that's my final message: make sure that we are leveraging AI at the beginning of the pipeline, with prevention and understanding the biggest risks for our environment.

Erica Toelle: Thank you. So I think that's just about all the time we have for today. To wrap up, we'd love to know, what is your personal motto or what words do you live by? Giulio, starting with you.

Giulio Astori: Thank you, Erica, so much. Thank you to the team. It's been a pleasure discussing the dynamic world of security and CNAPP with you and Yuri and the rest of the team. So when it comes to a personal motto, well, there is one, one phrase that has guided me through my life. That phrase is a Latin phrase, and I have it in my email signature, and that is "alea iacta est." The phrase is attributed to Julius Caesar. Besides the name Giulio, which is my name, and that's why I like it, it's a phrase attributed to one of the greatest Roman generals and emperors. The phrase translates as "the die is cast," and it symbolizes a point of no return, a commitment to move forward despite uncertainties, making the move towards achieving one's goal. In the realm of cloud security and the broader landscape of technology, alea iacta est embodies the spirit with which we must approach innovation and security challenges. It's a reminder that, in the face of rapidly evolving digital threats and the continuous transformation of technical infrastructure, hesitation is not an option. We must make bold decisions, embrace new solutions like CNAPP, and commit to a path of proactive and comprehensive security strategies. My motto encourages us to cross our own Rubicons. That is the river that Julius Caesar crossed when he pronounced alea iacta est. Such is a commitment to fully embrace the journey ahead of us with the determination and readiness to adapt. It's about taking calculated risks, embracing change, and leading the change in how we're shaping the security of our cloud environments in the future. So alea iacta est, the die is cast. Let us embrace the future of cloud security with boldness, innovation, and a commitment to excellence. Thank you once again for this engaging conversation. And I really look forward to the continued evolution of our digital world and the security that underpins it.

Erica Toelle: Thank you, Giulio. How about you, Yuri? What's your motto or words to live by?

Yuri Diogenes: That was very poetic from Giulio. And I love that he brought up his Italian roots. So I'm going to bring up my Brazilian roots and the words that I live by, and actually I tell this to many of my directs: "be comfortable in uncomfortable positions." And that comes from my years practicing Brazilian Jiu-Jitsu, where you have to practice attack and defense all the time. So, if you think about how we can correlate this with cybersecurity, the reality is that a lot of people nowadays are starting to get very uncomfortable talking about AI, very uncomfortable embracing this new technology, very uncomfortable with what this really means for their job. Maybe I'm going to lose my job because AI is going to take over. So be comfortable in those situations, embrace the change, and understand how to leverage your skills in combination with these new challenges and technologies in order to move forward, right? So every time that you use this mindset of being comfortable in uncomfortable situations, you really are able to prevail and face adversity with a much better attitude, and understand that having that feeling of not being totally comfortable is okay. You're not going to know everything all the time. But you are in this continuous improvement process to learn new things and get better. So it's a journey. Be comfortable being in uncomfortable situations.

Erica Toelle: Thank you both for joining us on the podcast today. I really appreciate your insights and knowledge. And have a great rest of your day. [ Music ] We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us at msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus. [ Music ]